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DETAILED ACTION 

1 . A request for continued examination under 37 CFR 1.114, including the fee set forth 
in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 

1 1/08/10 has been entered. 

Response to Arguments/Amendments 

2. As per the 35 USC § 1 1 2 rejection, applicant argues that specific disclosure of the 
specification offer correlation of the cited "means" in the claim language. 
However, applicant does not clearly define these means and, as a result, these 
means continue to be subject of interpretations. For example, in response to 
"means for assigning" applicant points to paragraph 29, which reads as follows: 
"One possible extension to the above, as part of tunnel setup negotiation, is the 
propagation of the ACL entries that apply to G from ER to IR, such that 
unacceptable packets can be dropped at the ingress to the security group tunnel (at 
the IR) rather than on egress (at the ER), after they have traversed (and thus 
consumed the resources of) the network". 

The examiner also noted explicit suggestion in the specification that "The operations 
referred to herein may be modules or portions of modules (e.g., software, firmware 
or hardware modules). For example, although the described embodiment includes 
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software modules and/or includes manually entered user commands, the various 
example modules may be application specific hardware modules. The software 
modules discussed herein may include script, batch or other executable files, or 
combinations and/or portions of such files. The software modules may include a 
computer program or subroutines thereof encoded on computer-readable media" 
(para 69). 

The cited paragraph 29 not only does not offer any algorithm structure but in fact 
does not clearly identify any particular element, hardware, software or otherwise, 
that unambiguously could be mapped to the claimed means for assigning. 
3. In regard to the art rejection, applicant argues that the amendment overcomes 
Hamma's teaching because claim 10, for example, now recites two identifiers. 
Furthermore, applicant argues that the tunnel identifier of the tunnel is identified 
based on a routing for the packet, and that the routing is determined based, at least 
in part, on the SGI. 

Applicant's arguments are not found persuasive. The amended claim language 
merely introduces "a tunnel identifier" which requires any. identifier identifying the 
tunnel, not even precluding the tunnel identifier to be a security group identifier (SGI) 
as long as it is identified "based on the routing of the packet". (Note that the 
claimed limitation does not even requires the identifier to be unique). 
However, the phrase "based on" is an extremely broad term, reasonably allowing 
various interpretations. For example, clearly a packet will be routed via different 
route depending on the destination of the packet. Thus, one can be routed to 
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VLAN=1 52 via PE 21 2 and another to VLAN 1 501 via PE 21 3, for example. Based 
on the routing different entities receive and identify the particular packet, including 
the tunnel (VPN) identifier of the packet. However, note that even if there was only 
one destination such as VLAN 1501 from VLAN=101, the process of routing of the 
router 212 requires identification of the tunnel (VPN) identifier or, in other words, 
based on the routing the router identifies a tunnel (VPN) identifier of the packet. 
Similarly, a skilled artisan would readily recognize that the identifier of the particular 
PE (i.e. PE 213) identifies the tunnel, through which a packet is routed to 
VLAN=1 501 , for example, and a skilled artisan would readily recognize that in order 
to route a packet a router (i.e. PE 212) must identify the next hop (i.e. PE 213, or in 
this interpretation, a tunnel identifier) for the packet. Consequently, in the broadest 
reasonable interpretation, Hamma's disclosure meets the newly introduced 
limitation. 

4. Claims 1 , 4, 6-1 1 , 1 4-20, 22, 24-31 , 34-41 and 43-49 have been examined. 

The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior Office Action. 

Claim Rejections - 35 USC §112 

5. Claims 40-41 and 43-49 remain rejected under 35 U.S.C. 112, second paragraph, as 
failing to set forth the subject matter which applicant(s) regard as their invention. 
Although the claims are drafted using "means plus function" limitations, the examiner 
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did not find correlation of the specific "means" to the disclosed structure, acts, or 
materials to carry out the recited functions in the specification. It is noted that even 
though claims 20, 22, 24-26, 30-31 and 34-36 as well as the specification (see the 
corresponding USPUB 2005/0129019, paragraph 68-69, for example) clearly 
suggest the claimed functionality being realized in software, no computer code 
(either specific or a pseudo-code) is offered in the specification that would support 
the claimed "means". Thus, the examiner is unable to interpret the exact scope of 
claim limitations under 35 U.S.C. 112, sixth paragraph. 
Appropriate correction is required. 

Claim Objections 

6. Claims 1 0-1 1 remain objected to because "if said forwarding said packet" in claim 
10, should read "if said forwarding of said packet", and "said classifying said packet" 
in claim 1 1 misses the term "of. 

Appropriate correction is required. 

Claim Rejections - 35 USC §102 

7. Claims 1 , 4, 6-1 1 , 1 4-1 9, 20, 22, 24-31 , 34-41 , 44-49 remain rejected under 35 
U.S.C. 102(e) as being anticipated by Hamma (USPUB 2004/0202171). 

As per claim 10, Hamma teaches assigning a security group identifier (SGI) to a 
packet, wherein said SGI is assigned based, at least in part, on a security group of a 
sender of said packet a said SGI identifies said security group (as illustrated by 
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VLAN/VID shown in Fig. 3 and 4 and associated text, for example), said security 
group is configured to represent a plurality of senders and said plurality of senders 
comprises said sender (as illustrated by VLANs, identified by VI D, disclosed in Fig. 
21 and associated text); classifying said packet based, at least in part, on said SGI 
and determining a routing of said packet, wherein said determining said routing is 
based, at least in part, on said SGI, and said determining said routing comprises 
identifying a tunnel (The user router CPE A 214 transmits a VLAN packet PKT1 that 
has been tagged with VID=101 . When the packet PKT1 enters the edge router PE A 
21 1 , the latter generates an MPLS packet PKT2 by removing the tag and adding, in 
place of the tag, a VPN label (=26: the VPN identifier of Enterprise A) and a 
forwarding label (=push label), and sends the packet PKT2 to the MPLS network 
200. The MPLS packet PKT2 subsequently arrives at the target receive-side edge 
router PE C 213 along the preset route through the MPLS network while its 
forwarding label is replaced. The receive-side edge router PE C 213 creates a 
VLAN packet PKT3 by removing the labels and adding a VLAN identifier (VID=1 501 ) 
to which the destination user router CPE C belongs and then sends this packet to 
the VLAN specified by VID=1 501 . As a result, the VLAN packet PKT3 arrives at the 
user router 231 , see Hamma, para 93 for example); determining whether forwarding 
said packet via said tunnel is permitted, wherein said determining whether said 
forwarding is permitted is based, at least on said SGI and forwarding said packet via 
said tunnel, if said forwarding said packet having said packet via said tunnel is 
permitted (the edge router extracts the value of the VLAN ID (=VID) ) contained in 
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the tag (step 302) and checks to determine whether the VI D value equal to or 
greater than 4096 (step 303). If the VID value is equal to or grater than 4095 ("NO" 
at step 303), this means that the range of 0 to 4095 of VID values has been 
exceeded an the edge router therefore discard this packet. However, if the VID 
values lies within the range 0 to 4095 ("Yes" ate step 303), the edge router refers to 
the VLAN ID and VPN label conversion table 124 (FIG. 9) (step 304) and checks to 
see whether a VPN label value has been discovered (step 305). If the decision if 
"NO", then the edge router removes executes ordinary MPLS processing. If the 
decision is "YES", on the other hand, the edge router removes the tag and imposes 
a Layer-2 label value (VPN label) (step 306), see para 95. Also, note the discussion 
in regard to received packets with VPN labels, i.e. para 99). 
As per the newly introduced limitation "identifying a tunnel identifier of the tunnel 
based on the routing of the packet", the examiner notes that the phrase "based on" 
is an extremely broad term, reasonably allowing various interpretations. (In addition, 
the limitation does not require to be different from a security group identifier or even 
a unique identifier.) For example, clearly a packet will be routed via different route 
depending on the destination of the packet. Thus, one can be routed to VLAN=152 
via PE 21 2 and another to VLAN 1 501 via PE 21 3, for example. Based on the 
routing different entities receive and identify the particular packet, including the 
tunnel (VPN) identifier of the packet. However, note that even if there was only one 
destination such as VLAN 1501 from VLAN=101, the process of routing of the router 
212 requires identification of the tunnel (VPN) identifier or, in other words, based on 
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the routing the router identifies a tunnel (VPN) identifier of the packet. Similarly, a 
skilled artisan would readily recognize that the identifier of the particular PE (i.e. PE 
21 3) identifies the tunnel, through which a packet is routed to VLAN=1 501 , for 
example, and a skilled artisan would readily recognize that in order to route a packet 
a router (i.e. PE 212) must identify the next hop (i.e. PE 213, or in this interpretation, 
a tunnel identifier) for the packet. Consequently, in the broadest reasonable 
interpretation, Hamma's disclosure meets the newly introduced limitation (refer for 
more details to paragraph 3, above). 

8. As per claim 1 1 , the classification phase at a transmit-side edge router precedes the 
forwarding of the packet by the router. Thus, the previously discussed forwarding is 
clearly based, at least in part, on a result of said classifying of said packet. 

9. As per claims 14-15, VLAN ID and VPN label conversion table 124 (as shown in Fig. 
9 and detailed in Fig. 4) meets the limitation of ACL, a copied VI D (VLAN ID) 
mapped against the ACL entries in order to find the corresponding to find VPN label 
VI D meets the limitation of an index. 

10. As per claim 16, a transmit-side edge router meets the limitation of an ingress router 
and the recipient-side router, an egress router. 

1 1 .As per claim 17, Hamma teaches whether said packet can be forwarded by the 
egress router based on the SGI (The receive-side edge router checks to see 
whether the MPLS packet has arrived (step 31 1). If the MPLS packet has arrived, 
the edge router removes the forwarding label attached as Layer 1 (step 312). Next, 
the edge router extracts the Layer-2 VPN label (step 313), refers to the table 124 
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indicating the correspondence between the VLAN ID (=VID) and VPN label (step 
314) and checks to see whether the VID has been found (step 315). If the VID has 
not been found, the edge router discards the packet. If the VID has been found, 
however, the edge router removes the Layer-2 label and adds a tag that contains the 
VID to create a VLAN packet (step 316). Next, the edge router refers to the VPN 
label table 124 to find the output interface and sends the VLAN packet to this 
interface (step 317). The destination user router CPE C receives the VLAN packet 
and executes predetermined processing (step 318), see para 99, for example). 

12. As per claim 18, as noted in the above paragraph, the egress router (receive-side 
edge router) at least retrieves the SGI (VPN label), an identifier of the tunnel (VID) 
and a destination of the packet (destination address (see MAC address in Fig. 3). 

13. As per claim 19, VLAN ID and VPN label conversion table 124 (as shown in Fig. 9 
and detailed in Fig. 4) meets the limitation of ACL a copied VPN label mapped 
against the ACL entries in order to find the corresponding VPN meets the limitation 
of an index. 

14. It is noted that task in computing tasks are accomplished by executing computer 
code/set of instructions stored on a computer readable storage medium using a 
processor and content-addressable memory. Furthermore, the components/set of 
components offering the claimed functionalities meet the limitations of the 
corresponding/claimed means/unit labels cited in the claim language. Additionally, 
note that the forward information is kept in a header (see Fig. 3, 17A and B and 20, 
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for example). As a result, claims 1 , 4, 6-9, 20, 22, 24-31 , 34-41 , 44-49 are 
substantially similar to claims 1 ; thus, claims 10-11, 1 4-1 9 and are similarly rejected. 

Conclusion 

Examiner has cited particular paragraphs and/or sections and/or page numbers 
in the reference(s) as applied to the claims above for the convenience of the applicant. 
Although the specified citations are representative of the teachings of the art and are 
applied to the specific limitations within the individual claim, other passages and figures 
may apply as well. It is respectfully requested from the applicant in preparing 
responses, to fully consider the references in entirety, as potentially teaching, all or part 
of the claimed invention, as well as the context of the passage, as taught by the prior art 
or disclosed by the Examiner 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is (571) 272- 
3840. The examiner can normally be reached Monday through Thursday from 9:00 
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571) 272-381 1 . The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/Peter Poltorak/ 
Examiner, Art Unit 2434 



